//CONVERT #include <string.h> //CONVERT #include "crypto_sign.h" //CONVERT #include "crypto_hash_sha512.h" //CONVERT #include "ge.h" //CONVERT #include "sc.h" //CONVERT #include "zeroize.h" /* NEW: Compare to pristine crypto_sign() * Uses explicit private key for nonce derivation and as scalar, * instead of deriving both from a master key. */ public static int crypto_sign_modified( ISha512 sha512provider, byte[] sm, byte[] m, long mlen, byte[] sk, byte[] pk, byte[] random ) { byte[] nonce = new byte[64]; byte[] hram = new byte[64]; Ge_p3 R = new Ge_p3(); int count = 0; Array.Copy(m, 0, sm, 64, (int)mlen); Array.Copy(sk, 0, sm, 32, 32); /* NEW : add prefix to separate hash uses - see .h */ sm[0] = (byte)0xFE; for (count = 1; count < 32; count++) { sm[count] = (byte)0xFF; } /* NEW: add suffix of random data */ Array.Copy(random, 0, sm, (int)(mlen + 64), 64); sha512provider.calculateDigest(nonce, sm, mlen + 128); Array.Copy(pk, 0, sm, 32, 32); Sc_reduce.sc_reduce(nonce); Ge_scalarmult_base.ge_scalarmult_base(R, nonce); Ge_p3_tobytes.ge_p3_tobytes(sm, R); sha512provider.calculateDigest(hram, sm, mlen + 64); Sc_reduce.sc_reduce(hram); byte[] S = new byte[32]; Sc_muladd.sc_muladd(S, hram, sk, nonce); /* NEW: Use privkey directly */ Array.Copy(S, 0, sm, 32, 32); /* Erase any traces of private scalar or * nonce left in the stack from sc_muladd */ //zeroize_stack(); Zeroize.zeroize(nonce, 64); return(0); }
public static int crypto_vsign_modified(ISha512 sha512provider, byte[] sm, byte[] M, int Mlen, byte[] a, byte[] A, byte[] random, Ge_p3 Bv, byte[] V) { byte[] r = new byte[64]; byte[] h = new byte[64]; Ge_p3 R = new Ge_p3(); Ge_p3 Rv = new Ge_p3(); int count = 0; /* r = SHA512(label(3) || a || V || random(64)) */ sm[0] = 0xFC; for (count = 1; count < 32; count++) { sm[count] = 0xFF; } Array.Copy(a, 0, sm, 32, 32); /* Use privkey directly for nonce derivation */ Array.Copy(V, 0, sm, 64, 32); Array.Copy(random, 0, sm, 96, 64); /* Add suffix of random data */ sha512provider.calculateDigest(r, sm, 160); Sc_reduce.sc_reduce(r); Ge_scalarmult_base.ge_scalarmult_base(R, r); Ge_scalarmult.ge_scalarmult(Rv, r, Bv); /* h = SHA512(label(4) || A || V || R || Rv || M) */ sm[0] = 0xFB; Array.Copy(A, 0, sm, 32, 32); Array.Copy(V, 0, sm, 64, 32); byte[] R1 = new byte[32]; Array.Copy(sm, 96, R1, 0, 32); Ge_p3_tobytes.ge_p3_tobytes(R1, R); Array.Copy(R1, 0, sm, 96, 32); byte[] R2 = new byte[32]; Array.Copy(sm, 128, R2, 0, 32); Ge_p3_tobytes.ge_p3_tobytes(R2, Rv); Array.Copy(R2, 0, sm, 128, 32); Array.Copy(M, 0, sm, 160, Mlen); sha512provider.calculateDigest(h, sm, Mlen + 160); Sc_reduce.sc_reduce(h); Array.Copy(h, 0, sm, 0, 32); byte[] S = new byte[32]; Array.Copy(sm, 32, S, 0, 32); Sc_muladd.sc_muladd(S, h, a, r); Array.Copy(S, 0, sm, 32, 32); /* Erase any traces of private scalar or * nonce left in stack from sc_muladd. */ //zeroize_stack(); Zeroize.zeroize(r, 64); return(0); }